From dac0ae49766482840567ddd9b8be7123297a24ea Mon Sep 17 00:00:00 2001
From: akallabeth
Date: Tue, 13 Aug 2024 15:54:03 +0200
Subject: [PATCH] [crypto,cert] extend certificate store API

Use the certificate PEM without trustchain in the local trust store, but keep the full PEM with chain for the user facing callbacks.

---
 include/freerdp/crypto/certificate_data.h | 2 ++
 libfreerdp/crypto/certificate_data.c | 16 +++++++++++++++-
 libfreerdp/crypto/certificate_store.c | 2 +-
 3 files changed, 18 insertions(+), 2 deletions(-)

diff --git a/include/freerdp/crypto/certificate_data.h b/include/freerdp/crypto/certificate_data.h
index 275d65481..96a620dc8 100644
--- a/include/freerdp/crypto/certificate_data.h
+++ b/include/freerdp/crypto/certificate_data.h
@@ -60,6 +60,8 @@ extern "C"
 	FREERDP_API UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert);
 	FREERDP_API const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert);
+	FREERDP_API const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert,
+	                                                            BOOL withFullChain);
 	FREERDP_API const char* freerdp_certificate_data_get_subject(const rdpCertificateData* cert);
 	FREERDP_API const char* freerdp_certificate_data_get_issuer(const rdpCertificateData* cert);
 	FREERDP_API const char*
diff --git a/libfreerdp/crypto/certificate_data.c b/libfreerdp/crypto/certificate_data.c
index 04b5432e5..79b38284f 100644
--- a/libfreerdp/crypto/certificate_data.c
+++ b/libfreerdp/crypto/certificate_data.c
@@ -48,6 +48,7 @@ struct rdp_certificate_data
 	char* cached_issuer;
 	char* cached_fingerprint;
 	char* cached_pem;
+	char* cached_pem_chain;
 };
 
 /* ensure our hostnames (and therefore filenames) always use the same capitalization.
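Review bot: The new `freerdp_certificate_data_get_pem_ex` declaration in certificate_data.h carries no doc comment saying what `withFullChain` selects, and nothing in the header records that `freerdp_certificate_data_get_pem` now returns the chain-inclusive PEM (the .c side turns it into a wrapper for `_ex(cert, TRUE)`), which is a behaviour change for existing callers of a public API. Both functions hand back a pointer into the cache owned by `cert` (`cached_pem` / `cached_pem_chain`, freed in `freerdp_certificate_data_free`), so the caller must neither free it nor keep it past the data object. I would add above the `_ex` declaration: `/** Cached PEM of the certificate; with withFullChain TRUE the PEM also contains the trust chain. The pointer is owned by cert, do not free. */` and a one-line note on `_get_pem` that it is equivalent to `_ex(cert, TRUE)`. The hunk header counts six old lines but only five are visible in this rendering, so one context line appears to have been lost.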
@@ -83,10 +84,15 @@ static BOOL freerdp_certificate_data_load_cache(rdpCertificateData* data)
 	data->cached_subject = calloc(1, 1);
 
 	size_t pemlen = 0;
-	data->cached_pem = freerdp_certificate_get_pem(data->cert, &pemlen);
+	data->cached_pem = freerdp_certificate_get_pem_ex(data->cert, &pemlen, FALSE);
 	if (!data->cached_pem)
 		goto fail;
 
+	size_t pemchainlen = 0;
+	data->cached_pem_chain = freerdp_certificate_get_pem_ex(data->cert, &pemchainlen, TRUE);
+	if (!data->cached_pem_chain)
+		goto fail;
+
 	data->cached_fingerprint = freerdp_certificate_get_fingerprint(data->cert);
 	if (!data->cached_fingerprint)
 		goto fail;
@@ -179,6 +185,7 @@ void freerdp_certificate_data_free(rdpCertificateData* data)
 	free(data->cached_issuer);
 	free(data->cached_fingerprint);
 	free(data->cached_pem);
+	free(data->cached_pem_chain);
 	free(data);
 }
 
@@ -198,9 +205,16 @@ UINT16 freerdp_certificate_data_get_port(const rdpCertificateData* cert)
 }
 
 const char* freerdp_certificate_data_get_pem(const rdpCertificateData* cert)
+{
+	return freerdp_certificate_data_get_pem_ex(cert, TRUE);
+}
+
+const char* freerdp_certificate_data_get_pem_ex(const rdpCertificateData* cert, BOOL withFullChain)
 {
 	if (!cert)
 		return NULL;
+	if (withFullChain)
+		return cert->cached_pem_chain;
 	return cert->cached_pem;
 }
 
diff --git a/libfreerdp/crypto/certificate_store.c b/libfreerdp/crypto/certificate_store.c
index bd182b43c..d66e15b02 100644
--- a/libfreerdp/crypto/certificate_store.c
+++ b/libfreerdp/crypto/certificate_store.c
@@ -116,7 +116,7 @@ BOOL freerdp_certificate_store_save_data(rdpCertificateStore* store, const rdpCe
 	if (!fp)
 		goto fail;
 
-	fprintf(fp, "%s", freerdp_certificate_data_get_pem(data));
+	fprintf(fp, "%s", freerdp_certificate_data_get_pem_ex(data, FALSE));
 	rc = TRUE;
 fail:
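Review bot: The changed `fprintf` in `freerdp_certificate_store_save_data` still ignores its return value, so a failed or short write of the leaf PEM leaves a truncated trust-store entry while the next line sets `rc = TRUE` and reports success; `if (fprintf(fp, "%s", freerdp_certificate_data_get_pem_ex(data, FALSE)) < 0) goto fail;` would surface it (the function starts and ends outside the hunk, so whether `fclose`'s result is checked at `fail:` is not visible here). A second point follows from the same hunk: the store now persists the leaf-only PEM while `freerdp_certificate_data_get_pem` now returns the chain-inclusive PEM, so any read-back or compare path in certificate_store.c that still matches stored content against `freerdp_certificate_data_get_pem(data)` would never match a previously pinned host — that code is not in this diff, so it is worth verifying those call sites were switched to `_ex(data, FALSE)` as well. Pinning only the leaf also means a changed intermediate chain no longer trips the trust store, which matches the commit message but deserves a comment at the write site, e.g. `/* persist only the leaf certificate; the chain is not part of the trust decision */`.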